Monday, 31 December 2012

In homage to the eight Data Protection Principles, I humbly
offer eight predictions for 2013. There’s good news for some, and less good
news for others. Early in 2014, I hope to revisit this list to see how I’ve fared.

1. The data protection industry will continue to flourish

Data protection is increasingly considered a profession, rather than a trade. But the race to professionalise the industry is accompanied by a desire, certainly on the part of those in the ascendant, to over-complicate concepts that ought to be readily understood by everyone. The race to develop elaborate data protection laws will increasingly be seen as a form of data protection exclusion, or apartheid. When only the brightest of the bunch can comprehend the relevant laws, data protection salaries will soar for those working in the few sectors that really can afford to care about privacy. Eventually the bubble will be pricked by the pragmatists, who will argue that standards need to be capable of being understood and implemented by people like Homer Simpson as well as Albert Einstein, if they are to be universally applied. But that bubble won’t be pricked in 2013.

2. Minor privacy breaches will become less newsworthy

The public will tire of reading about the same old issues. Just
as celebrities are recycled, and reality TV shows generate transient micro
celebrities, new stories will emerge to keep data protection in the public eye.
Trivial data breaches will become less toxic to brands, as there will be so
many more reports of more significant incidents. Commentators will increasingly
challenge the regulator to do something about them, while simultaneously
calling for further cuts in public expenditure to address Britain’s economic
woes.

The financial impact of the public policy aim of improving data protection norms will result in a public fight between (1) privacy campaigners, who just want higher standards regardless of the costs; (2) data controllers, who concede that data protection standards need improving, but not at the expense of reducing the focus on other, more pressing corporate requirements; and (3) regulators, who will do whatever is necessary to keep their own agenda in the public eye. Frankly, I wouldn’t bet on the chances of the fundamentalists winning this epic battle.

4. More research will be commissioned on the point of regulating privacy

If we know anything from existing research on privacy, it’s that different sections of the community in different countries consider different aspects of their lives to be “private and personal”. They do not care so much about other aspects of their lives. This will further call into question the “one rule to rule them all” strategy which is currently proposed to address EU data protection issues. There will be increasing acceptance that data protection is not a “fundamental right” but a social strategy – and one that will be hard to apply across a group of nation states whose societies and cultures are not aligned. Supporters of the subsidiarity principle will increasingly challenge the European Commission about its competence to regulate privacy.

5. A fundamental review of the ICO’s Civil Monetary Penalty strategy will be announced

Everyone needs a regular review of their practices, to ensure that their strategies are working effectively. An independent analysis will be commissioned on the extent to which the ICO’s current strategy has led to behavioural change and improved data protection standards, especially among local authorities. Can it be right that so many self-reported breaches result in Civil Monetary Penalties? How does this incentivise self-incrimination? Will the ICO’s health and safety team have to issue a warning to the enforcement team that they could easily strain their back muscles by bending down to collect so much low-hanging fruit?

6. The Ministry of Justice will commission a very discreet search to identify a suitable replacement for Christopher Graham, Information Commissioner, after which a fair and open competition will be announced

Christopher Graham’s term of office expires in June 2014. The next incumbent will probably serve a fixed term of 7 years. It will be interesting to learn whether the new Commissioner is as keen on dealing with internal management issues as with policy issues. With an organisation the size of the ICO’s, it’s going to be pretty hard to find someone with an equal interest in both, especially if a significant part of their time will be devoted to restructuring the ICO should Parliament decide that the organisation needs to be even more selective to be effective.

7. The ICO’s Management Board will commission a very discreet search to identify a suitable replacement for David Smith, Deputy Information Commissioner, should he decide to retire

David is an extremely experienced and respected member of
the data protection community, but even he might wish to retire in the next few
years. Finding a replacement will not be easy. But it is critical – for if the
new Commissioner is to be seen as the management strategist, then the policy
heavy lifting will need to be led by an authoritative expert who can quickly
earn respect from all sides of the community. Unlike the fixed term of the
Commissioner, though, this very important (and unelected) post could be held by
an incumbent for the rest of their working life. Or, the next jobholder will need to be a
management bruiser, capable of delivering organisational change while the
Commissioner focuses on policy.

8. Someone with data protection experience will join the ICO

Why should this be such a far-fetched prediction? Surely it’s about time that, rather than merely incubating raw data protection talent that acquires experience and a formal ISEB qualification before leaving to work elsewhere, someone who already knew quite a bit about the subject joined the regulator.

Sunday, 23 December 2012

This is my penultimate blog for this year. The final blog,
to be published on New Year’s Eve, will review the most significant
developments of 2012, and offer a few predictions about the challenges ahead.

For me, my perspective on data protection has changed
considerably during the past 12 months. From being a full time employee of a
major company, where the considerations naturally focussed on what was
marginally more beneficial for the data controller, I’ve become an independent
consultant, where a more evenly balanced view of the needs of the data controller
and of the individual has to be taken into account.

While full time employment certainly has its advantages, in
terms of a regular income, my new role has opened doors into new worlds that I might
well not have stepped through. The communications world has been very familiar
territory for well over a decade, but I’ve recently been able to renew my acquaintance
with the financial services world, and I’m becoming increasingly familiar with
the issues that face utility companies, the health sector and the media.

Other worlds that I do hope to explore in even more detail in
future include the worlds of public policy and regulation. Decisions are made
by those who turn up – and I do hope to be able to turn up and influence an
increasing number of these decisions in 2013. Most of the people I have met in
public life share a passion to make this world a better place. They may well have
very different views about what a better place looks like, but I can’t, for the
most part, fault them for their sincerity and commitment to do good deeds. The
disputes will continue to focus on whether their vision is credible and
realistic, and on who will provide the resources that will be necessary to
build their better world.

There are exciting opportunities ahead. I still wake up each day with a passion to do my best and to advocate practices that I believe to be fair and transparent. And while this passion remains, I also hope to continue to blog about things that matter to me.

So, many thanks to those who have written to me privately
over the past year, commenting on this blog. I’ll continue to respect your confidences. It
is, though, reassuring to know that so many of my opinions are shared with
other professionals in this field.

Friday, 14 December 2012

In the last of this series of blogs on the Joint Committee’s report, I thought I would report on some of the comments I’ve heard. None of them are surprising, and I’m sure that none will be ignored by Home Office officials either, who I expect are working hard to ensure that, when a redrafted Bill is presented for scrutiny, very few of the criticisms that were made about the last version could be made again.

I’m sure that everyone is keen to devise a pragmatic solution that can
be accepted by one and all.

I recently heard a very eminent politician, drawing on his many
years of experience, remark: “What is in the public interest doesn’t usually represent
the interests of members of the public”.

In this particular case, I very much hope that any legislation ultimately
passed by Parliament will indeed represent the interests, and concerns, of all stakeholders.

"Rarely can a parliamentary report have been so thorough and so damning... For those of us who have lamented the lack of rigour in parliamentary scrutiny, the work by the Joint Committee on the Draft Communications Data Bill is a refreshing departure. It dissects each assertion put forward by Theresa May and her mandarins. It accepts that there is a case for legislation "which will provide the law enforcement agencies with some further access to communications data", but it adds: "We believe that the draft bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data." ... For the moment, parliament has done its job. Credit where it is due. It has held light to an executive power, and found it cavalier."
John Kampfner, The Guardian

"I compliment the Committee for its report ... incredibly professional."
David Davis MP, speaking at a press conference on 11 December

"Almost exactly 14 days before Christmas, the Joint Committee on the Draft Communications Data Bill has delivered an early present ... It adds up to a damning indictment of the proposals and how they were put together. The cross-party Committee examined this draft Bill in extreme detail and with great care over the past six months. And they found the Bill did not bear scrutiny."
Peter Bradwell, from the Open Rights Group

"We are pleased that the Committee has echoed our concerns, particularly about the unsubstantiated costs and benefits of the Bill."
Facebook

"We are really pleased that the Committee recognised the impact that the Bill could have on business."
Sarah Kelly, director of the Coalition for a Digital Economy

"Finally a grown up debate about communications surveillance."
Gus Hosein, director of Privacy International

"The first battle may have been won but the war is still very much to come. Any assertion from the Home Office that a small amount of tinkering and minor changes will be adequate is completely unacceptable. The Committee has exposed weak evidence, misleading statements, and fanciful figures, and the recommendations highlight the very basic errors that have been made."
Emma Carr, The Commentator.com

"T May must rethink Data Comms Bill. Thoughtful report finds it unworkable, uncosted and too much power to Home Sec."
Rt Hon Yvette Cooper MP, Shadow Home Secretary

"This is a very difficult issue and I welcome the Committee's thoroughness."
Rt Hon Nick Clegg MP, Deputy Prime Minister

"We recognise this is a difficult issue. We will take account of what the Committee said."
Prime Minister's spokesman

Thursday, 13 December 2012

Today, I’m setting out some of the recommendations in the Joint Committee’s report that have not received any significant media attention.

While this week’s media reports have concentrated on the Bill’s defects, it is accepted that some form of official access to some types of communications data is necessary.

Accordingly, once it has been determined what types of data investigators should be able to access, what measures ought to be in place to maintain an appropriate level of official accountability and public reassurance?

The authorisation process

The Single Point of Contact process should be enshrined in primary
legislation. A specialist centralised SPoC service should be established
modelled on the National Anti-Fraud Network service which currently offers SPoC
expertise to local authorities. The Home Office should consider allowing police
forces to bid to run this service. This new service should be established by
statute, and all local authorities and other infrequent users of communications
data should be required to obtain advice from this service.

Although approval by magistrates of local authority authorisations
is a very recent change in the law, we think that if our recommendations are
implemented it will be unnecessary to continue with different arrangements
applying only to local authorities.

The Interception of Communications Commissioner

The IoCC should carry out a full review of each of the large users
of communications data every year. While sampling is acceptable as a way of
dealing with large users, the requests of users making fewer than 100
applications in a year should be checked individually. The annual report of the
IoCC should include more detail, including statistics, about the performance of
each public authority and the criteria against which judgements are made about
performance. It should analyse how many communications data requests are made
for each permitted purpose. For this the IoCC will need substantial additional
resources, both as to numbers and as to technical expertise. There should be
full consultation with him on this. His role should be given more publicity.

The IoCC's brief should explicitly cover the need to provide
advice and guidance on proportionality and necessity, and there should be
rigorous testing of, and reporting on, the proportionality and necessity of
requests made.

The IoCC will be key to public confidence in the Request Filter.
The IoCC will need the necessary expertise properly to examine the operation of
the Request Filter. He will have to report on the scale of searches via the
Request Filter and rigorously test the necessity and proportionality of
requests put to the Filter. All this information should be included in the
public section of his annual report so that if there are any signs that the
Filter is resulting in more intrusive requests Parliament can review the
legislation.

The Information Commissioner

If the Government believe that additional safeguards can be
provided by the Information Commissioner, they should undertake detailed
discussions with him as to what such safeguards might be, how they might be
undertaken, and what additional powers and resources he might need. The Bill
should make clear that the Information Commissioner will need to be shown all
notices issued under clause 1.

Other Surveillance Commissioners

Work should be done to rationalise the number of commissioners
with responsibility for different areas of surveillance. This work should aim
to simplify the situation and make it easier for the public to understand,
while ensuring that all surveillance powers are subject to rigorous oversight.
Consideration should be given to a new unified Surveillance Commission
reporting to parliament with multi-skilled investigators and human rights and
computer experts.

Security and destruction of data

We consider the Home Office's cost estimates may underestimate the cost of security and destruction of data. Since the cost of security and destruction will ultimately be borne by the taxpayer, the Home Office will have to carry out a careful cost/benefit analysis and obtain advice and assurances from a wider body of experts than the companies that stand to earn money from devising secure storage solutions.

Offence of misuse of communications data by a public authority

The House of Commons Justice Committee recommended that the power
under section 77 of the Criminal Justice and Immigration Act 2008 should be
exercised "without further delay". Nearly a year later the Home
Affairs Committee reached the same conclusion. We agree with the Information
Commissioner and with both these Committees that this power to allow custodial
sentences to be imposed in appropriate cases should be exercised without delay.

The Bill should provide for wilful or reckless misuse of
communications data to be a specific offence punishable in appropriate cases by
imprisonment.

In the final blog of this short series, I’ll
be reviewing some of the immediate reaction to the report’s recommendations.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.